Cryptography-Digest Digest #694, Volume #13 Thu, 15 Feb 01 20:13:00 EST
Contents:
Re: "RSA vs. One-time-pad" or "the perfect enryption" ("Douglas A. Gwyn")
Re: CipherText patent still pending (Benjamin Goldberg)
Re: Factoring (and not the Philippino :) (Benjamin Goldberg)
Re: TLS record compression (Gregory G Rose)
Re: asking for stream cipher resource ("Paul Pires")
Re: Key Exchange (Benjamin Goldberg)
Re: TLS record compression (SCOTT19U.ZIP_GUY)
Re: National Security Nightmare? (Mok-Kong Shen)
Fast DES-crypt question ("Didier F.")
Re: "RSA vs. One-time-pad" or "the perfect enryption" (John Savard)
Re: National Security Nightmare? (John Savard)
Re: TLS record compression (John Savard)
Re: "RSA vs. One-time-pad" or "the perfect enryption" ([EMAIL PROTECTED])
----------------------------------------------------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: "RSA vs. One-time-pad" or "the perfect enryption"
Date: Thu, 15 Feb 2001 20:41:59 GMT
All I could see in that argument was that you want to consider
any decrypting key to be a "trapdoor". If that is the case,
then why worry about it.
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: CipherText patent still pending
Date: Thu, 15 Feb 2001 22:01:31 GMT
Douglas A. Gwyn wrote:
>
> Kenneth Almquist wrote:
> > What we need to achieve your goal is stronger results in complexity
> > theory. If P = NP, then no strong ciphers exist. So the first step
> > to building a cipher which is provably strong against any attack is
> > to prove that P != NP. After this is done, we can examine the proof
> > and try to extend it to show that some particular encryption
> > algorithm is secure.
>
> I don't think that approach would help much. Consider that so far
> as we know, P = NP but we haven't found any proof of it yet. Oops,
> did all our ciphers just fall apart? No.
Who is this "we" that "knows" that P = NP?
--
A solution in hand is worth two in the book.
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Factoring (and not the Philippino :)
Date: Thu, 15 Feb 2001 22:08:25 GMT
Michael Brown wrote:
>
> "Benjamin Goldberg" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Michael Brown wrote:
> > [snip]
> > > The only problem that I have at the moment is for solving for when
> > > the 2 LSBs of the product are not both 1 (however, this should
> > > immediately kill ~50% of current RSA keys I presume? That's an
> > > interesting question - do 50% of prime numbers have a second least
> > > significant bit of 1?). The algebraic approach works, and is
> > > fairly easy to see how to implement (constant*a combination of a's
> > > and b's), but hard to actually implement.
> >
> > Since all prime numbers >2 are odd, all prime numbers used by RSA
> > will have the LSB set.
>
> What I meant by "the two LSBs of the product" are the two leftmost
> digits, i.e. bits 0 and 1. Ditto for the "second least significant bit"
> - I meant bit 1 (in a zero-based numbering system).
"left most"? This is an utterly *absurd* adjective phrase, considering
you haven't specified endianness.
When I said LSB, I meant least-significant-bit. Consider any odd
number. Write it in binary. Is its least significant bit 0 or 1?
Unless you were attempting to say that your algorithm only works for [or
works best for] pq values whose factors are both 3 mod 4; i.e., of each
factor, the two LSBs are both 1.
--
A solution in hand is worth two in the book.
------------------------------
From: [EMAIL PROTECTED] (Gregory G Rose)
Subject: Re: TLS record compression
Date: 15 Feb 2001 14:18:42 -0800
In article <jpQi6.253133$[EMAIL PROTECTED]>,
Bryan Mongeau <[EMAIL PROTECTED]> wrote:
>Is there any disadvantage to compressing after encryption? If not, why
>isn't it commonplace?
There's a fairly big disadvantage: it doesn't
work. If the encryption algorithm is any good,
its output will appear random, and the best any
compression algorithm can do is leave it alone.
You might occasionally get a small compression,
but the overhead will on average expand the
message. Sort of like gambling at a casino.
Greg.
--
Greg Rose INTERNET: [EMAIL PROTECTED]
Qualcomm Australia VOICE: +61-2-9817 4188 FAX: +61-2-9817 5199
Level 3, 230 Victoria Road, http://people.qualcomm.com/ggr/
Gladesville NSW 2111 232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
------------------------------
From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: asking for stream cipher resource
Date: Thu, 15 Feb 2001 14:19:20 -0800
Trevor L. Jackson, III <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Anthony Stephen Szopa wrote:
>
> > Eric wrote:
> > >
> > > Could any one give me some web sites about stream cipher background,
> > > publications etc. ?
> >
> > http://www.ciphile.com
>
> Now that's just a little too raw. Many people have told you that your
> site is garbage. How dare you lead an innocent astray?
>
> Such colossal effrontery is unacceptable. Prepare to be flamed every time
> you show your keyboard in this newsgroup.
>
> Twit.
Never wrestle with a pig.
You both get muddy but da pig likes it.
Paul
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Key Exchange
Date: Thu, 15 Feb 2001 22:37:21 GMT
Michael Brown wrote:
>
> "George" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > I'm working on a project where I need to have a client and a server
> > agree on a session key. What algorithm would be the MOST secure to
> > use?
> > (Keeping in mind there is ONLY Alice and Bob and NO Trent). If
> > DiffieHelman were to be used, how often should Alice and Bob
> > generate new session keys? Any help is greatly appreciated.
> > Thanks.
>
> Trent? Is this a MITM or another Eve?
Trent is/would be a third party that is a Trusted Entity.
If A and B want to use DH to generate their session key, it is perfectly
reasonable to do so only once for the entire session.
However, to avoid MITM attacks, each value that is transmitted in the
DH exchange needs to be either signed or encrypted with one party's
public key.
For example:
There exists an RSA key pair ((p,q,d),(pq,e)).
A knows (p,q,d), and B knows (pq,e).
When A sends his DH info to B, he signs it with (p,q,d).
When B sends his DH info to A, he encrypts it with (pq,e).
B, of course, must know/trust that (pq,e) is the public component of A's
key before this exchange occurs. For this trust to come to be, (pq,e)
must have been sent by some secure medium, or signed by a trusted third
party (verisign, etc). Note that the trusted third party is not
involved in the DH exchange, just in turning the public key into a
public key certificate.
--
A solution in hand is worth two in the book.
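The A-to-B leg of the exchange described in the post above, as an added example that is not Goldberg's code or anything from the original thread: A signs its DH value with its RSA private key, B verifies with (pq,e) before using the value, and a man-in-the-middle who substitutes his own DH value cannot produce a signature for it. The B-to-A leg (B encrypting under A's public key) is not shown. Assumptions made here: the group is RFC 2409 group 2 (a 1024-bit MODP prime, chosen only because it is short enough to embed), the RSA key is a toy 512-bit textbook-RSA key generated in place with no padding scheme, and the key derivation is a plain SHA-256 of the shared secret; none of these choices belongs in real code.

```python
"""Signed Diffie-Hellman in the shape sketched above: A signs the DH value it
sends, B checks the signature before using the value, so a man-in-the-middle
who swaps in his own value is caught.  Standard library only."""
import hashlib
import secrets

# Example parameter choice: RFC 2409 group 2 (1024-bit MODP prime, generator 2).
# Embedded because it is short; real code should use RFC 3526 group 14 or larger.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def is_probable_prime(n, rounds=32):
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def rsa_keygen(bits=512, e=65537):
    """Toy RSA key in the post's notation: ((p, q, d), (pq, e)).
    512 bits keeps the example fast; it is far too small for real use."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p, q, pow(e, -1, phi)), (p * q, e)

def sign(priv, msg):
    """Textbook RSA over SHA-256 (no padding): a demo stand-in, not a
    production signature scheme (use RSA-PSS or a modern scheme there)."""
    p, q, d = priv
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return pow(h, d, p * q)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(msg).digest(), "big")

def dh_keypair():
    x = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return x, pow(G, x, P)

def dh_shared(x, peer_value):
    """Reject degenerate peer values (0, 1, P-1), then derive a 256-bit key."""
    if not 1 < peer_value < P - 1:
        raise ValueError("DH value out of range")
    return hashlib.sha256(pow(peer_value, x, P).to_bytes(128, "big")).digest()

def run_exchange(a_priv, a_pub, signed=True, mitm=False):
    """A -> B leg.  Returns (B accepted A's value, A and B agree on the key,
    Mallory shares B's key)."""
    xa, ya = dh_keypair()
    wire = ya.to_bytes(128, "big")
    sig = sign(a_priv, wire) if signed else None
    xm = None
    if mitm:
        xm, ym = dh_keypair()
        wire = ym.to_bytes(128, "big")   # Mallory swaps the value; without A's key she cannot re-sign it
    if signed and not verify(a_pub, wire, sig):
        return False, False, False        # B rejects the tampered value
    xb, yb = dh_keypair()
    kb = dh_shared(xb, int.from_bytes(wire, "big"))
    ka = dh_shared(xa, yb)
    km = dh_shared(xm, yb) if mitm else None
    return True, ka == kb, km == kb

if __name__ == "__main__":
    priv, pub = rsa_keygen()
    for signed, mitm in ((True, False), (False, True), (True, True)):
        print(f"signed={signed} mitm={mitm}: {run_exchange(priv, pub, signed, mitm)}")
```

Running it shows the three cases: the honest signed exchange agrees on a key; the unsigned exchange under attack lets Mallory share B's key while A and B disagree; the signed exchange under attack is rejected by B before any key is derived. As the post says, the trust B places in (pq,e) has to come from somewhere outside this exchange.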
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: TLS record compression
Date: 15 Feb 2001 22:53:38 GMT
[EMAIL PROTECTED] (Gregory G Rose) wrote in <96hkk2$[EMAIL PROTECTED]>:
>In article <jpQi6.253133$[EMAIL PROTECTED]>,
>Bryan Mongeau <[EMAIL PROTECTED]> wrote:
>>Is there any disadvantage to compressing after encryption? If not, why
>>isn't it commonplace?
>
>There's a fairly big disadvantage: it doesn't
>work. If the encryption algorithm is any good,
>it's output will appear random, and the best any
>compression algorithm can do is leave it alone.
>You might occasionally get a small compression,
>but the overhead will in average expand the
>message. Sort of like gambling at a casino.
>
One could be encrypting text using methods that
only encrypt text with small alphabets, sort of like
Enigma. The resulting file will appear random
in the set of characters used. But for storage and
transmission you could compress to a binary file.
One could also do something exotic for personal
use or with a friend. Encrypt your file using your
favorite super duper encryption method that produces
a nice binary looking file. Then expand it to text using
one of my conditional static 1-1 (bijective) huffman
uncompressors where the condition file is from some
standard english text known only to you and your friend.
then compress this and send it. It effectively adds another
layer of encryption and getting a file of characters that
closely matches real text but not being real text will disguise
not only the encryption method you used but will lead
attackers going down blind alleys since it looks like a classical
method and it is not.
There are many reasons why one could compress after encryption.
But in general except for special cases it's best to compress
first then encrypt. I would guess the safest bet if one wants
good compression and encryption combined ( assuming rijndael is
any good) is to use Matt's BICOM and its free source code included.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
http://radiusnet.net/crypto/ then look for
sub directory scott after pressing CRYPTO
Scott famous Compression Page
http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: National Security Nightmare?
Date: Fri, 16 Feb 2001 00:26:53 +0100
"Douglas A. Gwyn" wrote:
>
> Mok-Kong Shen wrote:
> > I don't know but I conjecture that the days where one
> > intercepted messages to and from foreign embassies etc.
> > as told in books like those of Kahn are definitely
> > bygone. Since the channels are virtually infinite in
> > number, one can very frequently switch these, rendering
> > tracking very hard.
>
> In practice, channels are readily identifiable. To the
> extent that frequency hopping is used, consider that the
> entire relevant spectrum can be captured in a recording
> so you can play it back as often as required during the
> analysis.
If I don't err, spread spectrum was originally designed
with some intention of escaping from tracking. Your
information indicates that they have failed in that. What
I meant is that there can be many channels employed that
are not located in the same band. Their numbers and
periods of use (for different logical channels) constitute
certainly some parameters that can be employed to the
advantage of the communication partners.
>
> > ... So, similarly one can maintain a large
> > number of parallel channels transmitting encrypted
> > unimportant materials or even rubbish to divert the
> > opponent's attention and exhaust his computing resources
> > or at least decrease his speed of decryption which can
> > be of value when messages are only of limited duration
> > of significance.
>
> Jamming has been employed as a countermeasure since before
> WWII. History has shown that it just leads to the
> development of counter-countermeasures. The battle becomes
> more expensive for both sides without accomplishing much.
What I described is the busy channel. Right, jamming and
anti-jamming have continued to be research topics till
this day. I have no idea of the cost of implementation
but apparently that's justified (or one has to follow
suit simply because the adversaries have it, like in all
armament issues).
>
> > I am not sure that it is easy to pick, once there is
> > sufficient 'mass' of public use of encryption. If there is
> > out of a certain geographical region daily one hundred
> > thousand encrypted e-mails and only one from a criminal,
> > how is the agency going to search without looking at them
> > all, excepting that it already has some information as
> > to who the suspected persons are?
>
> IPsec generally leaves the routing addresses in clear,
> so the scan can be narrowed down to just the subnets
> containing the nodes under suspicion. Anyway, it is
> already necessary to have sufficient information to
> draw attention to a target; while all traffic on a link
> might be captured, only a particularly promising subset
> of it is analyzed.
The problem is that, if one doesn't have any information
to start, then it is really like finding needles in
haystack. Without decryption of all encrypted mails,
how is one to pick out the suspected nodes, if the
absolute majority are innocent? Otherwise, it is a
(constant) competition between the intelligence of the
parties involved. On the one side is tracing a target, on
the other side is to escape that through e.g. movement.
In WWII the operation of clandestine radio stations was
no different, only that the means available to both sides
were not so advanced at that time.
> > Thanks for the explanation. I was in fact stupefied
> > (in my wrong interpretation) by the richness of the top
> > terrorist.
>
> bin Laden is reportedly as rich as some nation-states,
> but not to the tune of 3 trillion dollars per year.
> It does point up the need to instill ethics as part of
> education, because such rich organizations can otherwise
> buy whatever technical expertise they need to conduct
> their "business". If the human race is to have a decent
> future, it will be only because a critical threshold of
> intelligence and education in an individual is usually
> enough to deter him from assisting evildoers.
I am a pessimist in this respect. I am not sure how ethics
(or religion, including the religion of the terrorist)
could effect any essential change in that matter, bearing
in mind terrorists are abnormal personalities much like
the dictators. Anyway, ethics dwarfs to nothing before
hunger in my conviction (really noble persons excepted).
Terrorism breeds upon poverty, directly or indirectly.
That's why I said previously that the fundamental solution
would lie in an appropriate reduction of the difference
between rich and poor people of the world.
>
> > The boom of telecom industry is in my view
> > a wavefront parallel to that of PC that precedes it.
>
> Indeed, Sun Microsystems in some of its PR is now calling
> attention to the equivalent of "Moore's law" for network
> capacity as opposed to computational engines. This is
> consistent with their slogan that "the computer *is* the
> network". I don't quite agree with the slogan, but there
> is certainly a dramatic growth in global network traffic.
>
> > ... (I was the other day attending a podium discussion
> > about a study of influence of cellphone antennas ...)
>
> If you run across any *science* pertinent to that issue,
> I'd like to hear about it. So far it seems to have been
> generated out of nothing by the new Luddites.
If one sees the number of research projects done, it
certainly doesn't seem that the scientists involved were
doing sort of psychic research (parapsychology). Definite
results are difficult to arrive at, just like currently
the BSE issue, perhaps also like the question of
long term effects of pollution. The one I referred to
was a comparatively small one done for the government
of Bavaria by scientists of two universities. The cellphone
industry shared exactly 50% of the costs and chose the
farms where measurements and tests were to be performed.
(Whether one thinks that's remarkable is beyond my comments.)
> > The loss of the ability to read [terrorist] secrets can
> > have extremely high impacts, I suppose. ...
>
> That presupposes that ability to read the secrets is the
> natural order of things. Was crime so much worse before
> the development of telephone wiretaps? Of course law
> enforcement agencies don't like to lose capabilities that
> they have come to depend on, but *change* is natural, and
> they need to deal with it by being adaptable and innovative
> themselves.
I didn't mean that law enforcement shouldn't catch up
with technical advancements. They should, if the laws
want them to perform certain tasks that need these
(people's view of the laws themselves is another matter),
only that the availability of strong encryption renders
their job increasingly more difficult, if not hopeless
in the long term.
M. K. Shen
------------------------------
From: "Didier F." <[EMAIL PROTECTED]>
Subject: Fast DES-crypt question
Date: Thu, 15 Feb 2001 23:53:17 GMT
Hi everyone,
Where can I get the latest - fastest version of crypt? I have some
source code based upon Eric Young's method, but that's from 1993.
So before I convert it to assembler, I would like to know if there is
a newer version and where I can find it.
Also if someone wrote assembler code for crypt on a x86 (586 would do)
where can I get it?
Thanks.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: "RSA vs. One-time-pad" or "the perfect enryption"
Date: Fri, 16 Feb 2001 00:03:43 GMT
On Thu, 15 Feb 2001 15:59:13 +0100, "Sebastian Gottschalk"
<[EMAIL PROTECTED]> wrote, in part:
>Both RSA and DSS are not the answer, because the inverse factorization is a
>trapdoor, still time consuming, but how long will it be??? Is there any real
>unbreakable algorithm where both keys are not the same?
No.
There is no algorithm with the unbreakability of the one-time-pad that
functions like a public-key cryptosystem.
Essentially, one can divide ciphers up into three classes.
1)
The one-time-pad and its equivalents.
It is completely unbreakable, but for a given amount of key, you can
only send an equivalent amount of messages. So you have to exchange
keys in advance - and you must allow for the possibility of having to
make another exchange of keys when you run out.
2)
Conventional ciphers.
Here, you have a short, convenient key. But theoretically, it can
always be broken: once you've sent a message longer than the key, it
can at least be broken by a brute-force attack. But you can make the
key long enough to make that impractical, and you can make the cipher
as complicated as you want.
So you don't have provable unbreakability, but you can get so
elaborate that there really isn't much to worry about.
3)
Public-key ciphers.
Here, you have to create information that you give to people which
tells them how to send messages to you. You keep secret, though,
something additional which lets you read those messages.
Since what you sent let people write the messages, how to read them is
- must be - implicit in what you sent.
The only reason this works as a cipher system is because there happens
to be a mathematical 'trick' it is based on.
There doesn't seem to be a way around it. If you want convenience, you
have to pay for it with a loss of security.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: National Security Nightmare?
Date: Fri, 16 Feb 2001 00:06:56 GMT
On Thu, 15 Feb 2001 18:37:12 GMT, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote, in part:
>If the human race is to have a decent
>future, it will be only because a critical threshold of
>intelligence and education in an individual is usually
>enough to deter him from assisting evildoers.
The problem is, though, that more and more sophisticated things are
becoming available for anonymous purchase in the proverbial
"supermarket". The movement of this threshold downwards is a nearly
inevitable consequence of the advancement of technology.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: TLS record compression
Date: Fri, 16 Feb 2001 00:11:55 GMT
On Thu, 15 Feb 2001 12:59:59 GMT, Bryan Mongeau <[EMAIL PROTECTED]>
wrote, in part:
>I remember reading about compression header vulnerabilities to
>cryptanalysis,
>Is there any disadvantage to compressing after encryption? If not, why
>isn't it commonplace?
For one thing, a header is not an inherent part of compression.
Program utilities specifically designed for compression will use
headers, but if an encryption protocol includes compression as a part,
there is no reason to create problems by inserting a header.
Compression works by depending on characteristics of the text being
compressed. So a picture consists of colors that usually only change a
small amount from one pixel to the next. Text contains only the
printable ASCII characters, and some of them are more common than
others.
Encryption, because it scrambles what it operates on, destroys the
characteristics that are used in order to compress information.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
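An added experiment illustrating both Greg Rose's and John Savard's replies above (example code written for this digest, not from either poster): zlib shrinks the sample text but cannot shrink bytes that look random, and the only difference a compression header makes is a few bytes of fixed overhead. The "ciphertext" here is a seeded PRNG stream, on the stated assumption that a sound cipher's output is indistinguishable from uniform random bytes and therefore compresses no better; the sample plaintext is constructed.

```python
"""Why compressing after encryption buys nothing: zlib on sample text versus
zlib on bytes that look random, which is what a sound cipher emits.  Also
contrasts the zlib wrapper with raw deflate, which carries no header."""
import random
import zlib

# Constructed sample plaintext standing in for a TLS record.
PLAINTEXT = (
    b"Is there any disadvantage to compressing after encryption? "
    b"If not, why isn't it commonplace? "
) * 24

def pseudo_ciphertext(n, seed=0xC0FFEE):
    """Stand-in for ciphertext.  Assumption: a good cipher's output is
    indistinguishable from uniform random bytes, so a seeded PRNG stream
    has the same (lack of) compressibility without needing a cipher here."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

def zlib_size(data):
    """Size with the zlib wrapper: 2-byte header + deflate + 4-byte Adler-32."""
    return len(zlib.compress(data, 9))

def raw_deflate_size(data):
    """Size of the bare deflate stream (wbits=-15): no header, no checksum."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return len(c.compress(data) + c.flush())

def sizes(plaintext):
    """Compare compress-then-encrypt (plaintext_zlib) against
    encrypt-then-compress (ciphertext_*) for equal-length inputs."""
    ct = pseudo_ciphertext(len(plaintext))
    return {
        "raw": len(plaintext),
        "plaintext_zlib": zlib_size(plaintext),
        "ciphertext_zlib": zlib_size(ct),
        "ciphertext_raw_deflate": raw_deflate_size(ct),
    }

if __name__ == "__main__":
    for k, v in sizes(PLAINTEXT).items():
        print(f"{k:24s} {v:6d} bytes")
```

The random-looking input comes back as a deflate "stored" block, so it grows by the block framing rather than shrinking, and the zlib header and trailer add six more bytes on top; the text shrinks to a small fraction of its size because the compressor can exploit its structure before encryption hides it.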
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: "RSA vs. One-time-pad" or "the perfect enryption"
Date: 16 Feb 2001 00:41:25 GMT
John Savard <[EMAIL PROTECTED]> wrote:
> On Thu, 15 Feb 2001 15:59:13 +0100, "Sebastian Gottschalk"
> <[EMAIL PROTECTED]> wrote, in part:
>>Both RSA and DSS are not the answer, because the inverse factorization is a
>>trapdoor, still time consuming, but how long will it be??? Is there any real
>>unbreakable algorithm where both keys are not the same?
[ ... lots snipped here ... ]
> There doesn't seem to be a way around it. If you want convenience, you
> have to pay for it with a loss of security.
Actually, it's a little more than "doesn't seem to be a way around
it." There *isn't* a way around it. In particular, breaking a
public-key cipher can never be harder than solving an NP-complete
problem, no matter what. So, for instance, there can't be a public
key algorithm where breaking it would require double-exponential time.
And most definitely there can't be one where breaking is impossible
(like a one-time pad).
Furthermore, that also has another interesting consequence. If it
turns out that P=NP, with truly efficient algorithms for NP-complete
problems, then public key cryptography pretty much ceases to exist (at
least as we know it -- maybe there could be functions that are O(n) to
encrypt and Omega(n^4) to break, and that might be useful, but that's
very different from the apparently super-polynomial gap we have
today).
--
Steve Tate --- srt[At]cs.unt.edu | Gratuitously stolen quote:
Dept. of Computer Sciences | "The box said 'Requires Windows 95, NT,
University of North Texas | or better,' so I installed Linux."
Denton, TX 76201 |
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************